I'm not sure how to phrase this question correctly so please excuse me if it doesn't make sense.

In my current company we have a Change Management process that has been established for a number of years. In understanding more of the ITIL world over the past year, what we currently have is by no means perfect, or even really that good. But it is a process that is followed by most groups in my org.

In reading some whitepapers on identifying changes, I have seen many graphs that talk about the Change Management maturity level. Currently I believe my company to be in the "On Your Honor" level - There is a process, you should follow it. But there are no real ramifications if you don't and we really won't know if you follow it or not anyway. - In an effort to change this somewhat I am stuck with the question of: How can you identify unauthorized changes, without using Tripwire, or other related software?

Tripwire has been a hot topic at our company and there have been a few projects to implement it on a larger scale, but these have been postponed due to financial constraints. While I understand that Tripwire, or other detective controls, are extremely powerful, I am wondering if there are other methods for identifying changes that, while they may be more time consuming, are something that might be quicker to implement, and gain some short term benefit.

So question for the masses: Other than software, what other methods can I employ to help in identifying unauthorized changes to my environments, so that I can better understand where to improve my processes?

Service Desk incidents often prove a good pointer to an unauthorised change. The biggest cause of incidents is change. If you dig deeper into an incident that you cannot relate to a change then you may well find an unauthorised change.

Other sources:

Word of mouth etc is a surprisingly effective tool! (keep your ear to the ground)

Minutes of Meetings (discussing changes you haven't heard about!)

If you have a CMDB, any inconsistencies with the real world could be caused by unauthorised change (or failure to update CMDB)

Physical and Electronic audits of the infrastructure against what is documented.

Hope these help, but yes I agree to be effective you really need a tool.

Agreed with the previous posters. Without either automated tools or people in place to conduct audits, your other options would be to keep your ears open. That might be a bit hard if you work in a large or even medium size company.

In my last place of employment we had a somewhat similar situation, although most changes were logged in the ticketing app. However, there was no formal approval or review process and consequently for the most part it all reduced down to the 'Honor system'. Which, as you may have figured, did not work out great. Not because people are dishonest, but because as a creator of change you tend to think that it's perfect.

Anyway, my approach would be to start soliciting equally minded individuals from different teams to start monitoring any changes that happen in their respective groups. You're still not going to catch every unauthorized change; however, you will get a clearer picture as to what's going on.

If the overall goal is to get rid of such changes, there is no way you can do it without changing your Change Management process to ensure proper roles and procedures are in place to exercise control of the process.

Sorry, my answer might be a bit vague, but it is kind of hard to answer definitively without having enough detail on the issue.

"How can you identify unauthorized changes, without using Tripwire, or other related software?". This is a very valid question but if you manage to answer it you will only get an idea of how many unauthorized changes there are, which leads to another question of what the organizational response will be to unauthorized changes so as to minimize them in the future.

Instead you could just skip the middle man and suppose it's 50% unauthorized changes. If you don't have the money or time to buy tools or rummage around in incident records, my advice would be to ask another question: "why would people not follow change management?"